From 765f5997533e60d2bc3526504629d5dc80824a6d Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Ond=C5=99ej=20Budai?= Date: Fri, 30 Oct 2020 14:35:11 +0100 Subject: [PATCH] test: generate certificates on fly instead of shipping them in the test RPM The certificate generation is based on work by Lars Karlitski in our osbuild CA. The server and client certs now contain a Subject Alternative Name, making Python's request module and Go 1.15 happy (they deprecated certificates without SAN). Several reasons why we want to switch to the certificate generation: 1) The pre-generated certificates are not documented. If someone wants to inspect them, he must know the right openssl incantation. This way, you are able to see what's inside the certificates in plain text. 2) The pre-generated certificates are going to expire at one point and someone will be surprised. 3) Shipping private keys in RPMs is iffy. I know, it's just for testing but still... 4) Auth tests are generating their own certificates. To achieve consistency, we have two options: a) Ship also all certificates for auth tests. That's extra 8 ones or something like that. b) Generate all certificates on the fly. This commit does that. 5) The setup introduced by this commit is very similar to the one in our CA making the test environment very similar to what's running in production. tl;dr: I think this is a good step forward. 
--- osbuild-composer.spec | 15 ++----- test/data/ca/ca-crt.pem | 19 -------- test/data/ca/ca-key.pem | 28 ------------ test/data/ca/client-crt.pem | 17 ------- test/data/ca/client-key.pem | 27 ----------- test/data/ca/composer-crt.pem | 17 ------- test/data/ca/composer-key.pem | 28 ------------ test/data/ca/worker-crt.pem | 17 ------- test/data/ca/worker-key.pem | 28 ------------ test/data/x509/openssl.cnf | 85 +++++++++++++++++++++++++++++++++++ tools/provision.sh | 78 ++++++++++++++++++++++++++++++-- 11 files changed, 163 insertions(+), 196 deletions(-) delete mode 100644 test/data/ca/ca-crt.pem delete mode 100644 test/data/ca/ca-key.pem delete mode 100644 test/data/ca/client-crt.pem delete mode 100644 test/data/ca/client-key.pem delete mode 100644 test/data/ca/composer-crt.pem delete mode 100644 test/data/ca/composer-key.pem delete mode 100644 test/data/ca/worker-crt.pem delete mode 100644 test/data/ca/worker-key.pem create mode 100644 test/data/x509/openssl.cnf
diff --git a/osbuild-composer.spec b/osbuild-composer.spec
index e9dd74085..74592a614 100644
--- a/osbuild-composer.spec
+++ b/osbuild-composer.spec
@@ -191,18 +191,6 @@ install -m 0644 -vp test/data/ansible/* %{buildroot}%{_d
 install -m 0755 -vd %{buildroot}%{_datadir}/tests/osbuild-composer/azure
 install -m 0644 -vp test/data/azure/* %{buildroot}%{_datadir}/tests/osbuild-composer/azure/
-install -m 0755 -vd %{buildroot}%{_datadir}/tests/osbuild-composer/ca
-install -m 0644 -vp test/data/ca/ca-crt.pem %{buildroot}%{_datadir}/tests/osbuild-composer/ca/
-install -m 0600 -vp test/data/ca/ca-key.pem %{buildroot}%{_datadir}/tests/osbuild-composer/ca/
-install -m 0644 -vp test/data/ca/composer-crt.pem %{buildroot}%{_datadir}/tests/osbuild-composer/ca/
-install -m 0600 -vp test/data/ca/composer-key.pem %{buildroot}%{_datadir}/tests/osbuild-composer/ca/
-install -m 0644 -vp test/data/ca/worker-crt.pem %{buildroot}%{_datadir}/tests/osbuild-composer/ca/
-install -m 0600 -vp test/data/ca/worker-key.pem %{buildroot}%{_datadir}/tests/osbuild-composer/ca/
-
-# Client keys are used by tests to access the composer APIs. Allow all users access.
-install -m 0644 -vp test/data/ca/client-crt.pem %{buildroot}%{_datadir}/tests/osbuild-composer/ca/
-install -m 0644 -vp test/data/ca/client-key.pem %{buildroot}%{_datadir}/tests/osbuild-composer/ca/
-
 install -m 0755 -vd %{buildroot}%{_datadir}/tests/osbuild-composer/manifests
 install -m 0644 -vp test/data/manifests/* %{buildroot}%{_datadir}/tests/osbuild-composer/manifests/
@@ -225,6 +213,9 @@ install -m 0600 -vp test/data/keyring/id_rsa %{buildroot}%{_d
 install -m 0755 -vd %{buildroot}%{_datadir}/tests/osbuild-composer/koji
 install -m 0644 -vp test/data/koji/* %{buildroot}%{_datadir}/tests/osbuild-composer/koji/
+install -m 0755 -vd %{buildroot}%{_datadir}/tests/osbuild-composer/x509
+install -m 0644 -vp test/data/x509/* %{buildroot}%{_datadir}/tests/osbuild-composer/x509/
+
 %if 0%{?rhel}
 install -m 0755 -vd %{buildroot}%{_datadir}/tests/osbuild-composer/vendor
 install -m 0644 -vp test/data/vendor/87-podman-bridge.conflist %{buildroot}%{_datadir}/tests/osbuild-composer/vendor/
diff --git a/test/data/ca/ca-crt.pem b/test/data/ca/ca-crt.pem deleted file mode 100644 index 4ca50c170..000000000 --- a/test/data/ca/ca-crt.pem +++ /dev/null @@ -1,19 +0,0 @@ ------BEGIN CERTIFICATE----- -MIIDDTCCAfWgAwIBAgIUVrgJCBlYNv2uMIP04BH2fOTCPr4wDQYJKoZIhvcNAQEL -BQAwFjEUMBIGA1UEAwwLb3NidWlsZC5vcmcwHhcNMjAxMDA1MDgzODUzWhcNMjEx -MDA1MDgzODUzWjAWMRQwEgYDVQQDDAtvc2J1aWxkLm9yZzCCASIwDQYJKoZIhvcN -AQEBBQADggEPADCCAQoCggEBAMCii5Z8O+P3HfrYZmUVJAvQFSyxCvarpjSjopUD -J3VCFBa601swg5vDBSnDg0CRiW8r5LHi4seaOULD3OhttabeLZ5a4ESR98Q/XjcE -RWWOx9FdQkx1BXlpFDwbWHPTaKXhFfii35fjjmCoprCX6OVVGLfq95yfU7jj2wme -BfQoN/Xv+yXzYr6vCVOgTdG8Hc2G639xBf0zaZsDoJH5gtfxpD7s3HRLwN/XWy1e -800pHqdBji0Nt1Gz97K3x2HgqzmtX/cUfZN71AHEIt2DzhRjOQbfG0r/W2YztDJb -aZ3CultmJOCwXl5dGkSSmVYjB/y104XzbVMl0Mm0arq714kCAwEAAaNTMFEwHQYD -VR0OBBYEFFNDFT1jOr4HlFrICey0ukYdzq27MB8GA1UdIwQYMBaAFFNDFT1jOr4H -lFrICey0ukYdzq27MA8GA1UdEwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggEB -AAey3ciGtbfpzRwHL+KR5SqfVfxKI/LtVU74VFxFfMnVzAuFteV/k9CEHGxbCjmZ -nt4Z2vncLzGxJ3wnjm4GfzCCPKCfPdqD6bAwJ5tpDJyFWs0xOe2f9U5i1Yx5UHG+ -lIR1t/vlmPRkcC1lQlV+xhM/8MPJYl+0Bsjt2vjAvEbHEGifb2voJy2k1AabYwks -sDzkfC/0EU1MeHj8tjt98xVsGezdmduZMOee/OyhQ3Z5nuqKvQoiRCUBYVxPbxLV -bwwtECtHqs1DDMZSbc095BPMm4TuSMi1YqSiAcDQm776hff26mbeyEg0NROQ30M8 -8vu25FPz/AlY+0tb2/P7SGI= ------END CERTIFICATE----- diff --git a/test/data/ca/ca-key.pem b/test/data/ca/ca-key.pem deleted file mode 100644 index d991fa7e8..000000000 --- a/test/data/ca/ca-key.pem +++ /dev/null 
@@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDAoouWfDvj9x36 -2GZlFSQL0BUssQr2q6Y0o6KVAyd1QhQWutNbMIObwwUpw4NAkYlvK+Sx4uLHmjlC -w9zobbWm3i2eWuBEkffEP143BEVljsfRXUJMdQV5aRQ8G1hz02il4RX4ot+X445g -qKawl+jlVRi36vecn1O449sJngX0KDf17/sl82K+rwlToE3RvB3Nhut/cQX9M2mb -A6CR+YLX8aQ+7Nx0S8Df11stXvNNKR6nQY4tDbdRs/eyt8dh4Ks5rV/3FH2Te9QB -xCLdg84UYzkG3xtK/1tmM7QyW2mdwrpbZiTgsF5eXRpEkplWIwf8tdOF821TJdDJ -tGq6u9eJAgMBAAECggEBAJBA6NEPRXYoFu5C4SLvGugxsbme9rvTvIoMw/Jcw06e -5hZDX4UZJmUdPJ+SxpYypj13HDJN2k9o4Vpq++GeTnqgRH8iRHF08ZqnbXE7pJAx -xNa2xLAmravGkZ2VSL6r4ODfVqmzpkbC5Frj0LfLel9KQ1FvBm/mLDb3go6IJKM5 -sg78bfzKWPsDqCD4Wy37xtm53av63Tvqp7K54SWQ/tlGPZDLb0uUGgc5XMilp58o -FaUK4JY6+aH/q5SlhLkKR5TPClZZqUOqB3ccsIQUmx77MNogVi0tZJ9CPs6wGxHt -0/9bW+zaGsnaWaAQz9UVGOndC7MwKGN09wrEky/kiRECgYEA59kvyYZEzt0t6dm3 -0t+71vMMZpqz883WkT4hWIpQdMGSTM68lFBH5EoQhryegMxZ2/9iUAl1IS7+K0CT -57hV4JjNaHgux+sbAb2Kcr0H6GbZ05suksPrM7p9TXfCRizKSJUX8PxIaUOnIkcT -Ek7w4uwkB8k9Ar4LbI/L+bclf3UCgYEA1LOie2LeYDDUl+Qb/DK0RrhsQssfrxZH -McCgeSjsho5ncXumF1+dR7SE/ArgESm0Sw2mTbmKaMex13YFQeB+69RkmHE/C7w8 -L8iRLXcVkBn+AzI7K5zD3eiyZmk6zZS34Ka0DKIfW+RAgs3VqM8zCBVNCB/9Yt6a -oaeXzD1D6UUCgYEA0PEkZeOBY0RlOlihl4NWT1LenCFTh6a7dk2d06Ni+rXwWRP/ -U1I+V/h/iE24Mq73VJKFUUgUrQEiwmwCX1P64NwUUc/tqPGydxEQEnNVCxaVvGQf -xtiVwRqSDhydkoyPCHaFCwLxZxw3JWcUQu2tnXPezL2JJE2NEhtNYhCx1HkCgYA+ -kgV3RJNkOpkfgZQV8ZiEwVXfpD9S0zvoT+ElIzvJLXUStiwa7h6nbFw+hLh7dAg8 -l+xXKwCjaDNRzb8oLPFJULay/YVtX1dZOygx9rkaJftKV2l+n+QikISCiewpc9lP -tdp7aOnOr2umzwROX32EoDeD710ry44zhciq5U7n/QKBgCCLEU2UMUcGSgqP4gAF -5bg+W6vg5ivuajRPc7Kio4+DVWuppd8KZOtR8LaOUzYtCFjT90s5MEduDEbAq6bF -CdlALFkOlF/hJU2XzmSQEy4+UysT0jwEgMGTTaFnWoIJZZsUPzLUjZUrWrsFfnpc -WCxhsvYiBZIsGBgbKqjhfs+e ------END PRIVATE KEY----- diff --git a/test/data/ca/client-crt.pem b/test/data/ca/client-crt.pem deleted file mode 100644 index ddcb1c2f1..000000000 --- a/test/data/ca/client-crt.pem +++ /dev/null 
@@ -1,17 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICujCCAaICFC4RtelruuDmzcZBjnKYe8QCuenxMA0GCSqGSIb3DQEBCwUAMBYx -FDASBgNVBAMMC29zYnVpbGQub3JnMB4XDTIwMTAwNzIxMDUzNloXDTIwMTEwNjIx -MDUzNlowHTEbMBkGA1UEAwwSY2xpZW50Lm9zYnVpbGQub3JnMIIBIjANBgkqhkiG -9w0BAQEFAAOCAQ8AMIIBCgKCAQEAmIpbWfEt5soZNPUJ3FXZgeJQNvA/i4aCOP0/ -FSWD36dWqYNyeZBrTdxYBSO44158Tzo4L0ETkdoBxXww3tZhN2t79r6KMdBRCHNG -hUY0C5uNmi+cfUvsh6jRg4VDmwk8DOiqVbLQ2rI36GyNfJy7MvDMjD3RbLfhFW7v -SUQQnqMRDi/uu107HrCD/O/YN288yul/2EhFTds0rFYKojybKFQxz9o1eWqW31ca -83NU5WqQUTSZ+NwnBXC/TrpNNIC6kzVgelDElL9NJU/dK++9vPkGZY5YGc44OiaG -wA21hypC2xJpL9FLiQ9jBaN/i935oKyLsQdcqsm4DOllT4TiDwIDAQABMA0GCSqG -SIb3DQEBCwUAA4IBAQBfJStg9ofmJJYWfgZHntkhCftwXlBVQKQKz7UTN9ZM+6Uc -NlAg9nmkFpK8e9u1HknL4JcdyjYdKzURHMPquvaaRAeUaXeg7LmJmO62VK0HIVHe -RtN9XdkJ3YmOC8htMBiIuObq+DMQ20mSEtMpkah812F2gno+lc60G2jYlqi9/oac -frVWGulHjufFdkEpTcLB6tleEKgH0Qj9BZdkk4fCfXTSdWKRXx2j3yRKFjUy2bG3 -jY1Vrbc9lbQhtbvDwnQwVAdNjmdw0TPSBzDiN48vliG3WVAybhMYaxWHkmPz/SS7 -Quq7hcFfV1LPJWzC0H1GTynkT8kJyjmi81XeS7/z ------END CERTIFICATE----- diff --git a/test/data/ca/client-key.pem b/test/data/ca/client-key.pem deleted file mode 100644 index 5b4d4cbe9..000000000 --- a/test/data/ca/client-key.pem +++ /dev/null 
@@ -1,27 +0,0 @@ ------BEGIN RSA PRIVATE KEY----- -MIIEogIBAAKCAQEAmIpbWfEt5soZNPUJ3FXZgeJQNvA/i4aCOP0/FSWD36dWqYNy -eZBrTdxYBSO44158Tzo4L0ETkdoBxXww3tZhN2t79r6KMdBRCHNGhUY0C5uNmi+c -fUvsh6jRg4VDmwk8DOiqVbLQ2rI36GyNfJy7MvDMjD3RbLfhFW7vSUQQnqMRDi/u -u107HrCD/O/YN288yul/2EhFTds0rFYKojybKFQxz9o1eWqW31ca83NU5WqQUTSZ -+NwnBXC/TrpNNIC6kzVgelDElL9NJU/dK++9vPkGZY5YGc44OiaGwA21hypC2xJp -L9FLiQ9jBaN/i935oKyLsQdcqsm4DOllT4TiDwIDAQABAoIBAAgL3E+9Qh+Xb4b0 -mgWOXb/VMUgEmkWA3eOlsCssZG1qxU6ByYsSDCb6RYZX4QvVUxdWydnsQ90As/E3 -4NgQVOZ4e/yDBoUkKPIaKpEjJ+Go3epRMp8FXz+0rwCSCgPmk81WhI2qtgujNQHE -oB3/onxIaXHIXQCwHmZkCKlDtuC3Qnh5kimTrEOeSZQYBX28UTyIScBDEH7c6FfY -P49FnW1kEsCdEb6kr2eAbjoET8jXrNYWE8Zr9B/QDmf22mPUEJB3mYmcKUOTQabR -WBq3vBL0xw47Jpt5U/CQfNrwe3AyyqN6aP33GnuVTd4I2RaCaK/YwRs0HEIzaLCI -iXPLVXkCgYEAyGVTr9wvET6zrL7whvc5nOSzxDCvb58bvr3HPPlF1onPQkXSIfRY -BtNnv+7giAzOjktO7uGQYHkiZfmSxQvKbVbZuJZ/09L3O9EPLRgqBchlceyyWWym -z2LXQBdrNYA/8OZ+qxfuPNPklTYDsnbRi2y7AXpwe8RtduIcS03Xgo0CgYEAwt27 -GMw8K9pRndK5hDePOvoEZJoiEnw20XqyGLX7+Vgh17epQygtvInWMqBEK8UsbzG+ -Im1KjODcXaBMdTmi8eO0cdDhiZ8DJRh+FU14pSs9AvVApPPOEkgPaVuYU7FxCLKE -v8TK9QjcywvGq2+UAZ9vbtEfBvCasGYGyic83gsCgYAOdQDslv3uSI+9zqiblApb -/0PYy4pciyX9RMOy6mjXaWnCZjcaq/4NwAKkHh+ksQfVzCkNosg/rX2FzdOA07Du -4m0im/js1zNu5U4q+qtNb3+iEGlteiEupPrSbN4XJgF256oLvdY6HS9IdHUf0uKb -JGT5XlPvGeSrxvQzmpIJoQKBgFi8BV2mauQBN1cpxOarMiLGBMgW09sdCw1a1Myh -2grSEh8b+AynuCP5lDtbdY+E6tX7jbw5jlAWeOJ9gzOCOmvxp5KIbptveEwlGgzz -STPVO6QkL/qtNrJmc/YjCntZ+sHeIMr+fvkTvw8K3r3kQj527pREz98mIxqeawsU -0Qe/AoGAU0XRhm/yzsKxHauksqgx+p5qDgoUpiS+KEKU1gCzYkbjI3cg4SNopaCb -DfcRwcblwuLnq7BY4n44F08n94u09s0InJdO2xmGrjY5cw7QqiI50B4FSb/KCXB7 -CnkT7DznceY2guHFT9Rm8j+1Q6EsSwy2BO4/iX6xIaNcKcw5JZk= ------END RSA PRIVATE KEY----- diff --git a/test/data/ca/composer-crt.pem b/test/data/ca/composer-crt.pem deleted file mode 100644 index b6676e089..000000000 --- a/test/data/ca/composer-crt.pem +++ /dev/null 
@@ -1,17 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICsTCCAZkCFElB9131Tg40vCU0/10eVenAgwa/MA0GCSqGSIb3DQEBCwUAMBYx -FDASBgNVBAMMC29zYnVpbGQub3JnMB4XDTIwMTAwNTA4Mzg1M1oXDTIwMTEwNDA4 -Mzg1M1owFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOC -AQ8AMIIBCgKCAQEAxqmrytbO2mOd3x43nIyvX/G5+S5VpDITPs3KeeJEBUbB1nZa -GI7cC36c6bqGV6bnJGv3BdCL9z8L7BPPbSzy3NCvtQ5Q0bGsJgwX0Lkm/H1DzIbP -vmktBBrQJrn9L6h4x2e+wxLTOo7oM5NIROBdIDXzAXiJFR3J5TY0bYQH1WD4+xmX -vHHIIJignsrNl08ODruG0UGn/I9wMKu7pS3wlWbyHvzuPsUUi1cCxZowUp52l1GU -Y7b54R1zMX7yTkiY4rshKfDqkKLQwk0RphXF4SLVjfPM38gA2zTcXecAahn/Si2b -7VNmUD0NTMxf5UtCv0iqdUFLekgFOb8q1J+osQIDAQABMA0GCSqGSIb3DQEBCwUA -A4IBAQCaOtOFXGfjAQRMOrSiy62wigw+D26jml01krRDCch/8MiDtG9agX0qIQnP -hK/lkY4AbRqwMe9MugJmCBEgHDwgOgPX7GH+J8l/DbjOp1NUzD4rxy/bfTXLP+5j -dkUzD7GIedygTm4jGTxFE9P6iYo/Un0GffSIsjIWaXyGf2T6kn1oE8sygXwhNaqm -F1duIXbseNo4brXBwWncw/C0gw8dXZDzlozIKhUzH/Ff6Q3h1Axu/5uNV7Svmkb1 -pHg9faWkZHhLasm40LTGG2B83z3f38R2AwcRRkH5Wque1FwfT886XnF//E9dfGi8 -cr1i2trLhweFMp1w5qbbqojMYs3h ------END CERTIFICATE----- diff --git a/test/data/ca/composer-key.pem b/test/data/ca/composer-key.pem deleted file mode 100644 index 2efcf5b9d..000000000 --- a/test/data/ca/composer-key.pem +++ /dev/null 
@@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDGqavK1s7aY53f -HjecjK9f8bn5LlWkMhM+zcp54kQFRsHWdloYjtwLfpzpuoZXpucka/cF0Iv3Pwvs -E89tLPLc0K+1DlDRsawmDBfQuSb8fUPMhs++aS0EGtAmuf0vqHjHZ77DEtM6jugz -k0hE4F0gNfMBeIkVHcnlNjRthAfVYPj7GZe8ccggmKCeys2XTw4Ou4bRQaf8j3Aw -q7ulLfCVZvIe/O4+xRSLVwLFmjBSnnaXUZRjtvnhHXMxfvJOSJjiuyEp8OqQotDC -TRGmFcXhItWN88zfyADbNNxd5wBqGf9KLZvtU2ZQPQ1MzF/lS0K/SKp1QUt6SAU5 -vyrUn6ixAgMBAAECggEARR3o4ARGKWL5HRQ1QukLZvUBv/jn4N1vJq2QYUFgavmI -HOZGSD8DvZgKXaMAdGRkDJ7nbYV1/MpZioQF6bT2te6BAxv88EfBXeddLcgNEVE/ -klvg0R1khQYTHzYcKUWS58VncBUPmlL35GG8hgINRFSgvAVEpC0d/foS2XtTAmBC -IxJUr6C9TewK4R1psFMqUOhUJUwoAAN1HVN/zRQttOK9P5JYc4nl4UuaeQ0AYIro -OSvseKBCgD9fGFpeT0lM/rB5qBh+/25faUs3hhF6kQZcvVqDVfUi2FbkSeoqV5BB -Gr1LKzxK3TBsKzZIsJt/ZTcVlfXNho2F+WqWDADHQQKBgQD1ezi+8ItR8SE0j/1q -5jpevjFQWipzwCBjZFtJBYutlw76MbGV0YAPgNNXzTFi35N5b5FB0cvfQlD0bG1c -25xZw16hSiBh8uVpEpWcB2FQbtMg3N81T5TD/gVoZZpOSW9G0zdeRkQYPf+aNgaA -/bCI60Bnz7oqMCfAp9m1plplSQKBgQDPLOD5HCOS+gqyS7hHpb4aDetgKErHuxki -l9/jzWLt6QR3q7rVwvc91tbvJejQh+aL+vw5xfjyN8DnjHQ7qjV0pPyW86bpd1Cf -b2AlBnKc9kI2ghcWirod6lu3Xwm+LYboh6++cCyYuq8lsKzslMPluzbEZzi+r1p0 -WAuo9KnwKQKBgQCiZe5YgxHoF7l76HYiLkUXQIOnQL8s7EGA/3dUi5KoOHL0GcP9 -9SbfGr62K00st/P8Nk7GWGCjRmAAE2sWL0L0L0d/NGbP5bzXEjBflJJQf8C00Onp -fshQENDLC8xVVkeDd1/9wkZyMzHRd0Q+OZZ8PgXRp57lIg5qaaChh3ft4QKBgBKL -J8/kTuLW8qIm2OXA1hUq7ch7ksXx3zwTb/zJ43L8CmRTwLNlcg/c7PwW3pHbuC0L -WAwrxi6YAvI2xiiZAZPhOKKiSGxZO6QpqedmflfCSwbp+fsQi7wlv/PX091r4clq -a7aV/8fj3c131OKQJkCn0y0dOB0JQQVs5A5JZ/SRAoGBAO4JCRa7OGNYEd+C2XkK -JbZ7HFgnvFcdPVnH4AikrtJ2tujvz9npVpLHAgfbxxxqo3GTw/5hlY4MWftXrorf -FWwuO/dBeVWWN9P0tIp2IGuw+lXgUqgr3UPSJmxurlKNtQvggjxM55WT/mV6cYYi -dHkErd2bkiUF0KjuNz5VZD94 ------END PRIVATE KEY----- diff --git a/test/data/ca/worker-crt.pem b/test/data/ca/worker-crt.pem deleted file mode 100644 index 36e5e43e2..000000000 --- a/test/data/ca/worker-crt.pem +++ /dev/null 
@@ -1,17 +0,0 @@ ------BEGIN CERTIFICATE----- -MIICsTCCAZkCFElB9131Tg40vCU0/10eVenAgwbAMA0GCSqGSIb3DQEBCwUAMBYx -FDASBgNVBAMMC29zYnVpbGQub3JnMB4XDTIwMTAwNTA4Mzg1N1oXDTIwMTEwNDA4 -Mzg1N1owFDESMBAGA1UEAwwJbG9jYWxob3N0MIIBIjANBgkqhkiG9w0BAQEFAAOC -AQ8AMIIBCgKCAQEAwJ0dIkgyH0Vq82Xnuez6Y30AAUg8BmVdWhEXW07XBUYdjnqG -XoDDk2hyqSKlCo4wtOgajS9j08eZG09b/JuQOIzoOP39HkmMFYW2ocJFcNM07h5Z -X248ANyG4XorIQPk6HiJJd+hCKm6Pta5HgRC6MBy9RRl+DOxJRfyMxSmI3LaH52d -GvsjhSGWAp57ksappadLAcYhnMQDwqgUcG9mtRXcewo5r6ypDDDnv0DL8qs9H9uN -Bw46LeE8zrfS6fVOOMly0GWPjcTCk2AWKRnSFJo5eoVue1NYm1lwAtVXMeZ21IQp -tEVi/vl1CSo3j/wyp95cApCoTQkqt0zjng/uEQIDAQABMA0GCSqGSIb3DQEBCwUA -A4IBAQBV1IhkPMGhYVvomI/rvb+wXjUNnEZyg6VTfOxjVWdZfCisfTqk3uw4ar0t -43b4QExm2dl1IFFtrfnRlx3uN1MQ4biH2A1p8go6mWILRjo3zLA78RzA//BG05UZ -DN98VP6VdCjFDMpwvhfUXFZzWfenUIjACnqY/VaURI+iT92M9jG1qFS9s50dmDn3 -lK3prS+HSKNdHc3KDfYoFzPoTfpuwJv10tkQd4jSt2FJevlQpcuXyytW5UGJrTgN -UVHVevYJhOjMuLMZ77QvDJvF4XEkap1FPP/tGwbhMEIPnD3qWCjD3+HA/PXcHMRq -hk4DBD+WNpxL6zMgMqUwRdfsBzec ------END CERTIFICATE----- diff --git a/test/data/ca/worker-key.pem b/test/data/ca/worker-key.pem deleted file mode 100644 index 73a6f2ede..000000000 --- a/test/data/ca/worker-key.pem +++ /dev/null 
@@ -1,28 +0,0 @@ ------BEGIN PRIVATE KEY----- -MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDAnR0iSDIfRWrz -Zee57PpjfQABSDwGZV1aERdbTtcFRh2OeoZegMOTaHKpIqUKjjC06BqNL2PTx5kb -T1v8m5A4jOg4/f0eSYwVhbahwkVw0zTuHllfbjwA3IbheishA+ToeIkl36EIqbo+ -1rkeBELowHL1FGX4M7ElF/IzFKYjctofnZ0a+yOFIZYCnnuSxqmlp0sBxiGcxAPC -qBRwb2a1Fdx7CjmvrKkMMOe/QMvyqz0f240HDjot4TzOt9Lp9U44yXLQZY+NxMKT -YBYpGdIUmjl6hW57U1ibWXAC1Vcx5nbUhCm0RWL++XUJKjeP/DKn3lwCkKhNCSq3 -TOOeD+4RAgMBAAECggEBAI6J9oxvJwBzS7Fx4Wl7ENTdJUrNnPYSv2Gusj00+/SA -LdFJpPR8j78flXLLG53TGgJWnYeL4XFRDWHjeaxXpwPiatv6Qf3O6abnu/67GM5k -zo/Ez9jKaAcvK3XjBdW53wWWZdAsTSxvBlAIcRfgiW9bM/dgMBHclyRfMzJP/p7N -z+l2yKrizImojL/CXEG6BjkjpcS5l5hr8/DGCMCEes9CcQamFb281wPXdktICOHG -tkyR8+E571rr+nzDYdaTLFa5jLiFDbNdCk378c8T5eOWCGQayEwBUfd06h7Fqn95 -Jt6TdFbWz1bXykUyKAkmniqgRNDol/wR6WjlnBEejV0CgYEA5vhX0IEwLoqIJww8 -sttGDkVJXjwAHOb9FQy5uWcz0b7QeLS8pJaGbact0nveMM3HXl3A/uVWvMtpnrEk -vEfE2ZktxwFIiYbrqjTbDp2s0yvjDde/FHJD2UkP0mGnzLas/NwV+pljZ7iAev4q -GlpcSBrxaeFabxENWfx6NY75QwsCgYEA1XysqOzmUXiPCxTwOnz+k9/4E9d8cg79 -nuQo8vJ8lEAzKAxic434GX4ijsu7OE5SqMotrpUtwtruNOVliDnpyxRz4TdTwo+A -4MgZG3BkG2OZNGsg3VaTpMtdkLWnd3Zato2AwQrUhUGMDW+kf/vRGsCJOmVsVWg/ -1hlWxgekhNMCgYAxG3AgRrdlzdJw6usk4/YbJqQYww0LGBmLFi+OueCModNVNqg9 -HjvqqHbXn7p4CehvqeNUzpIIhf8o3GUBGwlBco4HF8DCbMtCXwaMLv4Fz/jwgoR/ -5mOCmUQh6N1yawyQnoKVy3MVJGc8vzlYbQnd0sytRFqj7q42CbY6GPHqTQKBgHoF -1956Aa8hfIk1/5U+qng1NOOKcEv1O4udF7a9WO2XwGWspn0r8VoI2ZHK6wjk46Qs -Y239QHm2jx7W23DAwVvdJdrdt9dmFKDmXktrsxxgkkn+zXsVqDAyORmkasMCeBkN -ykEMgqpj67wmSt0IPt3OnOEu5XvvqUUjmJB5/9QXAoGBALLyTFgqiJdQwhlDCmMD -eUpd4OW6NAmsOke+udhjcXMF+WNieDI6z4TWhwpoFjtdRsrMHmB5VXZFwkvh7L53 -hEis0a9DX+ltNdHysMyrDBww7DyAC3gesf+N9iblPERn1G7lukNU2JcvpeCrwgtf -gM0xvSJPc+eNOmM3aKQsA/l9 ------END PRIVATE KEY----- diff --git a/test/data/x509/openssl.cnf b/test/data/x509/openssl.cnf new file mode 100644 index 000000000..7ff0d5cca --- /dev/null +++ b/test/data/x509/openssl.cnf 
@@ -0,0 +1,85 @@
+#
+# ca options
+#
+
+[ca]
+default_ca = osbuild_ca
+
+[osbuild_ca]
+database = ./index.txt
+new_certs_dir = ./certs
+rand_serial = yes
+
+certificate = ca.cert.pem
+private_key = private/ca.key.pem
+
+default_days = 3650
+default_md = sha256
+
+x509_extensions = osbuild_ca_ext
+
+# See WARNINGS in `man openssl ca`. This is ok, becasue it only copies
+# extensions that are not already specified in `osbuild_ca_ext`.
+copy_extensions = copy
+
+preserve = no
+policy = osbuild_ca_policy
+
+# We want to issue multiple certificates with the same subject in the
+# testing environment.
+unique_subject = no
+
+
+[osbuild_ca_ext]
+basicConstraints = critical, CA:TRUE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always, issuer:always
+keyUsage = critical, digitalSignature, cRLSign, keyCertSign
+
+
+[osbuild_ca_policy]
+commonName = supplied
+emailAddress = supplied
+
+
+#
+# Extensions for server certificates
+#
+
+[osbuild_server_ext]
+basicConstraints = critical, CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid, issuer:always
+keyUsage = critical, digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth
+
+
+#
+# Extensions for client certificates
+#
+
+[osbuild_client_ext]
+basicConstraints = CA:FALSE
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid,issuer
+keyUsage = critical, nonRepudiation, digitalSignature, keyEncipherment
+extendedKeyUsage = clientAuth
+
+
+#
+# req options
+#
+
+[req]
+default_md = sha256
+default_bits = 2048
+distinguished_name = osbuild_distinguished_name
+
+
+#
+# Only prompt for CN
+#
+
+[osbuild_distinguished_name]
+CN = Common Name
+emailAddress = E-Mail Address
diff --git a/tools/provision.sh b/tools/provision.sh
index b942aa178..d5d273849 100755
--- a/tools/provision.sh
+++ b/tools/provision.sh
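Review bot: `x509_extensions = osbuild_ca_ext` in `[osbuild_ca]` is the default extension set for `openssl ca`, so any signing invocation that forgets `-extensions` issues a certificate carrying `basicConstraints = critical, CA:TRUE` and `keyCertSign`, i.e. a fully capable sub-CA under the test root. The provision script in this patch always passes `-extensions osbuild_server_ext` or `osbuild_client_ext`, but the safe default is an end-entity profile, e.g. `x509_extensions = osbuild_client_ext`, with `osbuild_ca_ext` selected explicitly only by the `req -x509 -extensions osbuild_ca_ext` step that creates the root. The comment above `copy_extensions = copy` also cites the wrong section (and misspells "because"): what makes `copy` acceptable here is that every section handed to `openssl ca` via `-extensions` pins basicConstraints, keyUsage and extendedKeyUsage, so a CSR can only contribute extensions not already set there (subjectAltName in practice). I would reword it to `# See WARNINGS in 'man openssl ca': CSR extensions are copied, but only those not already set by the -extensions section (osbuild_server_ext / osbuild_client_ext), which pin basicConstraints, keyUsage and extendedKeyUsage.`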
@@ -12,14 +12,86 @@ sudo mkdir -p /etc/osbuild-composer/repositories
 sudo cp -a /usr/share/tests/osbuild-composer/repositories/fedora-*.json \
 /etc/osbuild-composer/repositories/
-sudo cp -a /usr/share/tests/osbuild-composer/ca/* \
- /etc/osbuild-composer/
-sudo chown _osbuild-composer /etc/osbuild-composer/composer-*.pem
+# Generate all X.509 certificates for the tests
+# The whole generation is done in a $CADIR to better represent how osbuild-ca
+# it.
+CERTDIR=/etc/osbuild-composer
+OPENSSL_CONFIG=/usr/share/tests/osbuild-composer/x509/openssl.cnf
+CADIR=/etc/osbuild-composer-test/ca
+
+# The $CADIR might exist from a previous test (current Schutzbot's imperfection)
+sudo rm -rf $CADIR || true
+sudo mkdir -p $CADIR
+
+pushd $CADIR
+ sudo mkdir certs private
+ sudo touch index.txt
+
+ # Generate a CA.
+ sudo openssl req -config $OPENSSL_CONFIG \
+ -keyout private/ca.key.pem \
+ -new -nodes -x509 -extensions osbuild_ca_ext \
+ -out ca.cert.pem -subj "/CN=osbuild.org"
+
+ # Copy the private key to the location expected by the tests
+ sudo cp ca.cert.pem "$CERTDIR"/ca-crt.pem
+
+ # Generate a composer certificate.
+ sudo openssl req -config $OPENSSL_CONFIG \
+ -keyout "$CERTDIR"/composer-key.pem \
+ -new -nodes \
+ -out /tmp/composer-csr.pem \
+ -subj "/CN=localhost/emailAddress=osbuild@example.com" \
+ -addext "subjectAltName=DNS:localhost"
+
+ sudo openssl ca -batch -config $OPENSSL_CONFIG \
+ -extensions osbuild_server_ext \
+ -in /tmp/composer-csr.pem \
+ -out "$CERTDIR"/composer-crt.pem
+
+ sudo chown _osbuild-composer "$CERTDIR"/composer-*.pem
+
+ # Generate a worker certificate.
+ sudo openssl req -config $OPENSSL_CONFIG \
+ -keyout "$CERTDIR"/worker-key.pem \
+ -new -nodes \
+ -out /tmp/worker-csr.pem \
+ -subj "/CN=localhost/emailAddress=osbuild@example.com" \
+ -addext "subjectAltName=DNS:localhost"
+
+ sudo openssl ca -batch -config $OPENSSL_CONFIG \
+ -extensions osbuild_client_ext \
+ -in /tmp/worker-csr.pem \
+ -out "$CERTDIR"/worker-crt.pem
+
+ # Generate a client certificate.
+ sudo openssl req -config $OPENSSL_CONFIG \
+ -keyout "$CERTDIR"/client-key.pem \
+ -new -nodes \
+ -out /tmp/client-csr.pem \
+ -subj "/CN=client.osbuild.org/emailAddress=osbuild@example.com" \
+ -addext "subjectAltName=DNS:client.osbuild.org"
+
+ sudo openssl ca -batch -config $OPENSSL_CONFIG \
+ -extensions osbuild_client_ext \
+ -in /tmp/client-csr.pem \
+ -out "$CERTDIR"/client-crt.pem
+
+ # Client keys are used by tests to access the composer APIs. Allow all users access.
+ sudo chmod 644 "$CERTDIR"/client-key.pem
+
+popd
 sudo systemctl start osbuild-remote-worker.socket
 sudo systemctl start osbuild-composer.socket
 sudo systemctl start osbuild-composer-api.socket
+# The keys were regenerated but osbuild-composer might be already running.
+# Let's try to restart it. In ideal world, this shouldn't be needed as every
+# test case is supposed to run on a pristine machine. However, this is
+# currently not true on Schutzbot
+sudo systemctl try-restart osbuild-composer
+
 # Basic verification
 sudo composer-cli status show
 sudo composer-cli sources list
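Review bot: The three CSRs are written by root to fixed, predictable names in the world-writable `/tmp` (`/tmp/composer-csr.pem`, `/tmp/worker-csr.pem`, `/tmp/client-csr.pem`) and read back by `openssl ca -batch`, which with `copy_extensions = copy` honours whatever extensions the request carries; depending on the host's `fs.protected_regular`/`fs.protected_symlinks` settings a file or symlink planted there by another local user either makes provisioning fail or gets written through, and a swapped request would be signed by the test CA. Since the script already runs inside the root-owned `$CADIR` (wiped by the `rm -rf` on the next run), the requests belong there, e.g. `-out composer-csr.pem` and `-in composer-csr.pem` for each of the three pairs. The comment before `sudo cp ca.cert.pem "$CERTDIR"/ca-crt.pem` says `# Copy the private key to the location expected by the tests` but the command copies the certificate, which is exactly the line a reader auditing key exposure will look at; it should read `# Copy the CA certificate to the location expected by the tests (the CA key stays in $CADIR/private)`. The `systemctl try-restart osbuild-composer` at the end only covers composer: if a worker unit from an earlier run is still up it keeps the previous worker cert and will not authenticate against the regenerated CA, so a matching try-restart for the worker service (whatever its unit name is) seems warranted. Whether the script runs under `set -e` is not visible in this hunk; without it a failing `pushd $CADIR` would let `sudo mkdir certs private` and the rest run in the wrong directory, so `pushd "$CADIR" || exit 1` (quoted, like the `"$CERTDIR"` uses below it) would be safer.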